On the elevator I double-checked my watch. It was already Wednesday. The week was going by too fast. I stripped off my suit coat as I waited to reach my floor. Then I slapped my proximity badge on the reader, heard the familiar tones, and opened the door to the lobby.
As I made my way to my office, I returned the friendly wave of Ellen, the administrative assistant who sits in a cubicle next to my office. I do not merit an administrative assistant, but she toils nearby on behalf of several key executives in my company. As I hung my coat on the hook behind the door, I found myself listening in on Ellen's side of a rather noisy phone conversation.
"I'd like to know if you can change Ms. Hansen's return flight from Chicago," she said. "Ok, I'll hold." Pause. "Yes, it's a return to Washington Dulles airport." Pause. "I'm not sure that will work with her schedule. Let me call you back." Click.
I heard her dial, and after the requisite wait for a voice mail prompt, she said, "Hi, Julie, it's Ellen. The 8:00 flight is booked solid, but you could go to the airport and try standby. They said you could get on the 5:30 if you could get to the airport in time from your meeting. Call me back and let me know what you want to do."
For several minutes it was quiet. All I heard were the muted sounds of fingertips on keypads and the occasional whir of the printer as someone sent a document to hard copy. Then Ellen's phone rang.
"Hi, Julie. How's your trip going?" Pause. "Un huh. Sure." Pause. "OK. I'll see what I can do, and I'll leave you a voice mail." Click. More dialing.
"Hi, this is Ellen calling on behalf of Ms. Hansen. Her locator number is XYZ123. I need to see about changing her flight from Chicago today. She can't make the 5:30 to Dulles but wants to know if you can route her through another airport if the 8:00 flight is booked. She needs to get back for a meeting tomorrow." Pause.
This conversation continued to seesaw for several more minutes, and ultimately resulted in Ellen leaving another voice mail for Julie Hansen. Around noon, I walked by Ellen's desk and saw her gone-to-lunch sign on the partition. I also noticed the blinking red voice mail light on her phone. I chuckled.
Around mid-afternoon, I passed Ellen again as I was returning to my office from a meeting.
"Hey, were you finally able to get Julie's flight back rearranged? I couldn't help but overhear," I said.
"I hope so. She's going to try to get on the 8:00 as a standby, hoping her frequent flyer status helps. If not, I got her a refundable flight on another airline as backup." "That sounds like a lot of work."
"It was," she responded and exhaled noisily to drive the point home. "It took a good portion of my day, and now I'm behind on these sales reports."
Late the next evening as I was getting ready to leave the office, I noticed Julie in her office poring over a stack of receipts and paperwork. She was in the process of taping her taxi and restaurant receipts to letter-size pages as the company reimbursement policy dictates.
"Hi, Julie. Were you able to finally get back from Chicago last night?"
"Yes, but it was a real pain," she replied. "I went to visit our big client in Chicago, but they had a security crisis and could only give me and the engineer a half hour. I was at least able to get standby on the 8:00 flight back to Dulles, but that lousy summer weather in Chicago did me in again. We were stuck on the ramp for two hours while a thunderstorm blew over. I didn't get back to my house until after one in the morning. Then I had that big presentation this morning. I'm bagged. On top of that, Ellen has been busy all day trying to get the company reimbursed for the back-up ticket I had her buy. I guess that wasn't as good an idea as I had thought."
"And now you have to do the mandatory origami project with your travel receipts. Good luck. I hope you can get home for a decent dinner this evening."
As I headed out to the elevator lobby, I mused over the all the resources that had been consumed for that half-hour presentation. Granted, when you are a vendor or service provider, you are always at the mercy of your customers' schedules. However, there were aspects of this situation I found truly wasteful.
First and foremost, I have always felt that having someone make your travel arrangements is only effective for the most senior people in large companies. These executives turn over their entire scheduling process to an assistant who knows their work and private life intimately and tracks every waking moment. However, for most everyone else, it seems an uneconomical luxury.
In this case, Ellen had to play the role of middleman, transferring questions and responses between two parties who should have simply linked up directly. The airline representative would have put forth the options, and Julie would have been able to quickly decide among the alternatives. Not only would this have eliminated all the back- and-forth telephone calls and voice mails, it would have freed up Ellen to complete the sales reports on time.
When looking at the waste, it's important to consider all the other incidentals that became part of that trip. In addition to the pre-travel planning and mid-travel changes, the days that followed required time to work on refunds and expense reports. It was undoubtedly a very costly half-hour meeting.
I am not sure that's exactly how Julie assessed it. We are all confronted with episodes like Julie's excellent adventure; they are often one aspect of our job. Certainly, she didn't plan to waste that much time and effort, but an objective look at the cost-benefit ratio would be an eye opener. I refer to it as someone who is busy being busy. Unless you take the time to professionally evaluate these processes, it's easy to mistake this time- consuming activity for accomplishment.
Many security programs I have had the privilege to review also suffer from a certain amount of this busy work. It's in the nature of all large tasks. In last month's column, we discussed the importance of having a plan, not merely a story. If you've already taken that advice and have a sound plan, then the key for you now is ensuring that you are not busy just being busy.
A critical part of your plan will be a set of objectives with realistic timelines. One government chief information security officer I know even ensures his subordinates are effectively meeting planned objectives by maintaining a chart that tracks progress in all the identified areas. It is a simple matrix diagram with green, yellow and red squares that identify if an objective is on track (green), needs scrutiny (yellow), or is behind schedule (red). This chart forms the basis for many of his meetings.
If you think this means you will eventually complete your job and be able to relax or retire, forget it. In the security business, there are always vulnerabilities to assess and threats to analyze. New telecommunications systems, corporate acquisitions and emerging threats will be there to ensure none of us will ever enjoy the luxury of professional boredom. But if you are able to identify the security-relevant aspects of these changing environments and build a plan to address the challenges they bring, you can focus on those activities that most effectively mitigate your organizational risks. By tying your activities to milestones in the plan, you can ensure you're focused on those key accomplishments that drive your security program.
Certainly, there are many daily activities that can dramatically impact your productivity. However, if you have a plan and track key milestones, you are in a better position to demonstrate your ability to design, implement and manage a complex security program. You will be busy, but you will be busy about the job of protecting critical company assets.
John McCumber is an IT security professional and the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, the new book from Auerbach Publications. He can be reached at [email protected].
